I asked a question here about this, however I did not really get a full answer there and was pointed towards this site. So does Mozilla put lightweight themes through the same, or at least similar, review process to that of full themes and normal add-ons? Or are there at least any checks for malicious code before the publishing of a lightweight theme?
If there are not, then this should be made clear, and perhaps there should be some sorts of checks, even if that’s scanning the images with a service like VirusTotal or some sort of heuristics- and signature-based malware detection platform.
So they are not checked for anything malicious as images can contain malicious code which normally exploits something in the image handler? You won’t believe the amount of phishing scripts I’ve got from images going into my cache… In fact images are currently the most popular, and one of the most effective ways of transmitting malware… So I hope that I can get some assurance that the images are just images, and there’s nothing more to them.
Given the size limitations it would be rather hard I’d think. 3000px by 200px, PNG or JPG and 300KB or smaller. You’d have to write some pretty tight malware to fit. The footer is 100px instead of 200px, but otherwise the same requirements.
It may be hard and unlikely, however it is still possible, so are you telling me that there are no malware checks of any kind on these images due to the unlikelihood of any malware being there? Because if the image is so small, then the checks should be small too and minimal, however, there still should be some checks, just in case.
Well, I don’t know of any new specific exploits that Mozilla doesn’t know about, however, I still think that if it’s possible, it should be checked, and if the images really are so small then it shouldn’t be such a big deal to check.
Both exploits are over a decade old, have been patched, and neither was found in the wild before being exploited. Meaning, if there ever is another one found then Mozilla can scan for the issue until a patch is created for it, until then, it’s undue load.
Images (by themselves) are a terrible way to transmit malware. In the 1990s image handling code used stack buffers, and a stack buffer overflow could change program execution with data from the image. In that environment a standalone image could lead to an exploit.
These days we use allocated heap buffers, and a wild heap buffer overflow will have unpredictable results. It takes a lot of script execution to prepare the memory state so that a heap corruption bug can be a reliable exploit (especially with modern compiler and OS exploit mitigations), and lightweight themes have no scripts. In addition, the image formats we use are stable and well tested. They are old formats and security researchers have been beating on them for years.
If a lightweight theme passes review you don’t need to worry about it.
We do run virus scans on our download servers. Mostly it’s for the add-ons and Firefox itself (just in case!), but if by some chance someone includes a malicious image that doesn’t affect the reviewer but is still a latent exploit then it should be caught in that pass.